Highly sensitive US military data is being offered for sale online, after a hacker exploited certain Netgear routers located in ‘military facilities’.

This was the revelation from US threat intelligence firm Recorded Future, which discovered the documents for sale on the dark web whilst it was “monitoring criminal activity on deep and dark web forums and marketplaces.”

It said that the documents had been stolen because military IT departments had not changed the default FTP password on certain Netgear routers.

Netgear R7000

Military secrets

Among the military documents stolen by the hacker, include maintenance course books for servicing MQ-9 Reaper drones, and various training manuals describing deployment tactics for improvised explosive devices (IED)s.

Also for sale are an M1 ABRAMS tank operation manual, a crewman training and survival manual, and a document detailing tank platoon tactics.

And to rub salt in the wound, the hacker is asking between $150 and $200 for the lot, far less than usual for such sensitive data.

“On June 1, 2018, while monitoring criminal actor activities on the deep and dark web, Recorded Future’s Insikt Group identified an attempted sale of what we believe to be highly sensitive US Air Force documents,” blogged the firm. “Specifically, an English-speaking hacker claimed to have access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle (UAV).

According to Recorded Future, it engaged with the hacker and “confirmed the validity of the compromised documents.”

The hacker also acknowledged another breach involving a large number of military documents from an unidentified officer. Those documents contained a second dataset including the M1 Abrams maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device (IED) mitigation tactics.

Default passwords

Insikt Group analysts then apparently learned that the hacker used a widely known tactic of gaining access to vulnerable Netgear routers with improperly setup FTP login credentials.

Essentially, the hacker used Shodan, a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Using this search engine the hacker tracked down specific types of Netgear routers that use a known default FTP password.

The hacker used this FTP password to gain access to some of these routers, some of which were apparently located in military facilities.

One such military facility was the 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada.

The issue concerning Netgear routers using a set of default FTP credentials has been known since 2016 when a security researcher raised the alarm about it.